When Mitch Liu’s cellphone suddenly stopped working on a Monday in mid-February last year, the CEO of Cupertino-based streaming platform SLIVER.tv knew to act fast.
The 48-year-old Los Altos resident called AT&T, which informed him that someone claiming his identity and armed with his Social Security number walked into one of the mobile provider’s stores to request a new SIM card. By texting from the stolen phone number, the SIM thief reset the password to one of Liu’s secondary Gmail accounts before AT&T regained control.
Five weeks went by before the next hack. At 11:55am on March 19, 2018, Liu got a text from AT&T notifying him of another password change—this time to his primary emails, which held a fount of personal and financial information. Using Google’s two-factor authenticator, the hacker began resetting passwords to Liu’s cryptocurrency exchanges. Some $10,000 went missing.
A day later, Liu’s wife got a call from her husband’s number. Liu answered to hear a voice at the other end of the line that sounded deep and robotic—clearly disguised.
Liu hung up.
The caller persisted, sending texts to Liu’s daughter. “TELL YOUR DAD TO GIVE US BITCOIN,” one read. Police say the hacker also slid into Liu’s social media accounts. Posing as Liu, the identify thief began hitting up contacts about borrowing cryptocurrency. REACT—short for the Regional Enforcement Allied Computer Team—responded by hacking the hacker.
Using call details obtained from AT&T by a search warrant, they mapped out the suspect’s whereabouts, which centered around Boston. Records further revealed that the Samsung device to which the hacker switched Liu’s number was associated with an email for Joel Ortiz, a then-18-year-old high school valedictorian who still lived with his mom about a mile-and-a-half from Harvard University.
Turned out, Liu was merely a test run.
REACT detectives discovered that Ortiz stole more than $7.5 million from upward of 40 victims—two of whom reside in Silicon Valley. The young man—who spent his ill-gotten gains lavishly on $100,000 nights at Los Angeles clubs, Airbnb mansion rentals, private helicopter rides to music festivals and designer luggage and clothing—agreed to pay restitution and pleaded no contest on Jan. 24 to 10 felony counts of theft. On Friday, Santa Clara County Judge Edward Lee sentenced him to a decade in prison.
The case, first reported by the Mercury News, proved remarkable—and not just for the youth of the perpetrator and the flamboyantly reckless way he frittered away his loot and bragged about it online. It was a first in more ways than one.
For REACT—a small unit of local officers managed by the Santa Clara County District Attorney’s Office and one of just five such task forces in California—it was the first investigation of its kind. Officers pursuing Ortiz say they knew next to nothing about illegal SIM-swaps when they launched the probe, which turned into the kind of interstate operation typically handled by federal agencies.
By the time officers caught up with Ortiz at LAX last summer, it became the first arrest of its kind—not just for REACT, but nationally. And when Ortiz copped to the crimes earlier this year, he became one of the first in the country to be convicted of pilfering digital money through cellphone hacking.
Ultimately, Ortiz’s irresistible urge to gloat about his heists led to his capture—and a few critical missteps led the REACT unit to other suspects.
Xzayver Narvaez, a 19-year-old from Tracy, was arrested in mid-August last year after police noticed that a cellphone used by Ortiz for SIM-swapping had been used to log into a Google account identified as [email protected] Narvaez, who allegedly spent the proceeds of his crypto-heists on high-end sports cars, is now on supervised release at his Central Valley home and due in court May 2 for a preliminary hearing.
On Sept. 24, REACT arrested Kansas City native Joseph Harris on suspicion of pillaging $14 million in cryptocurrency tokens from San Jose-based Crowd Machine CEO Craig Sproule. A few months later, detectives busted Fresno’s Kalvin Ung for allegedly stealing $500,000 in cryptocurrency from a dozen victims. New York City’s Nicholas Truglia was subsequently arrested for numerous alleged SIM swap-related thefts throughout the US, including one that took $1 million from a Cupertino dad’s college fund for his daughters.
Deputy DA Erin West said the accused SIM-swappers have almost nothing to show for their alleged crimes. Police seized $400,000 from Ortiz, but say the rest of those millions were either spent or hidden.
“These are not Robin Hoods,” West said in a news release announcing the sentencing this week. “These are crooks who use a computer instead of a gun. They are not just stealing some ethereal, experimental currency. They are stealing college funds, home mortgages, people’s financial lives.”
All three men are held at the Elmwood Correctional Facility in Milpitas.
Cybersecurity expert Brian Krebs, a former Washington Post reporter who runs the site KrebsOnSecurity.com, told San Jose Inside that the only way for consumers to protect themselves from heists like the one pulled by Ortiz and his ilk is to disconnect their cellphones from anything they care about online. That’s because PINs and security questions can be bypassed if somebody pays off a mobile phone company clerk to override those safeguards.
“So many places online require you to provide a phone number when you set up an account, which means that if somebody gets control of your phone number, they can then reset the password for a ridiculous number of accounts,” he said. “And all these mobile companies say they can put passcodes and PINs in place, but none of that matters if there’s crooked employee.”
Krebs advises people to use a Google Voice number for account sign-ups instead.
“Mere mortals cannot get Google on the phone, so, in a weird way, that’s a benefit,” he said. “There’s no employee there to bribe.”